Placebo Legislation: Doing Good by Doing Nothing

I recently sat in on a conversation at the Silicon Flatirons Center among a group of cybersecurity experts about the need and nature of government regulation, given the vulnerability of critical infrastructure to cyber-attack, and indications that the market alone may not provide the desired degree of communal action needed for defense. I concluded that the answer was “placebo legislation”: Doing Good by Doing Nothing.

Apparently the U.S. federal government has recognized the need for action, and the Administration and leaders in Congress have proposed a number of legislative solutions. However, I ended up feeling that we’d be better off if the government pretty much did nothing given that:

A number of practitioners described how regulations too easily lead to a “compliance culture,” where statutory requirements incentivize companies to check the right boxes, rather than implement better security

White hat hackers explained that vulnerabilities and exploit strategies are evolving much, much more rapidly than any conceivable government framework

Cybersecurity is a complex and messy socio-technical system, and the unintended negative consequences of any regulation could easily outweigh the benefits

A leading computer scientist observed that the incentives for appropriate behavior were already about right – and that a process-oriented standards framework was guaranteed to drive the technical experts out of the room.

The government therefore needs to be seen to be doing something – but the less it does, the better. This is not unlike the placebo effect, where a patient given a dummy treatment experiences a true improvement in their condition – without harmful side effects.

Incremental management of reception: When protection limits are not sufficient

As the growing demand for wireless services squeezes radio operations ever closer together, we can no longer afford to ignore the costs that poor receivers and ambiguous interference standards impose on society. There’s a growing consensus that radio regulation needs to attend to reception issues as much as to transmission, which has led to a clamor for receiver standards.  As I’ve argued in the June 2011 post Receiver protection limits: a better way to manage interference than receiver standards, however, the best way to manage receivers is to specify the radio environment in which they have to operate (i.e. receiver protection limits) rather than government getting into the minutiae of setting performance requirements (i.e. receiver standards).

However, while protection limits are necessary, there may be cases where they’re not sufficient. In this post I outline a progression of increasingly interventionist steps in managing reception, starting with protection limits and adding more and more requirements until one reaches full-strength government-imposed receiver standards.